EVALUATION
The root cause is that com.sun.jck.lib.DistributedMultiTest is loaded by a URLClassLoader created in the com/sun/jck/lib/ExecJCKTestSameJVMCmd.run method, instead of being loaded by the PluginClassLoader. Therefore this class won't have the pluginversion.read permission, which in turn causes the AccessControlException later in the stack.
This is a special case we run into here, where the Applet uses a custom class loader to load some classes, and in turn calls back into our very own plugin code later in the stack.
I will add the doPrivileged block in com.sun.deploy.Environment, where we read in the javaplugin.version property, so the plugin will work in this scenario as well.

2006-09-07
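
The doPrivileged change proposed in the evaluation above, sketched as an added example (not the plugin's code and not part of the bug report): with a permissionless frame on the call stack, the unguarded property read is denied while the read wrapped in doPrivileged succeeds. Assumptions: the class and method names, the restricted AccessControlContext standing in for the URLClassLoader-loaded class, the permissive Policy and the sample property value are constructed, and the code targets JDK 8 through 17, where AccessController still enforces stack-based checks.

```java
import java.security.*;
import java.util.PropertyPermission;

public class PluginVersionRead {
    static final String KEY = "javaplugin.version";
    static final Permission READ = new PropertyPermission(KEY, "read");

    // Unguarded read: every protection domain on the call stack must hold READ.
    static String readDirect() {
        AccessController.checkPermission(READ);
        return System.getProperty(KEY);
    }

    // Guarded read: doPrivileged stops the stack walk at this class, so only
    // this class's own protection domain has to hold READ.
    static String readPrivileged() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) PluginVersionRead::readDirect);
    }

    public static void main(String[] args) {
        System.setProperty(KEY, "1.6.0-demo"); // constructed sample value
        // Assumption: grant READ to any class that has a code source (this demo class).
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return d.getCodeSource() != null && READ.implies(p);
            }
        });
        // Stand-in for the class loaded by the applet's own URLClassLoader:
        // a protection domain that holds no permissions at all.
        AccessControlContext untrusted = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        // Permissionless caller -> guarded read: allowed.
        String viaPrivileged = AccessController.doPrivileged(
                (PrivilegedAction<String>) PluginVersionRead::readPrivileged, untrusted);
        System.out.println("doPrivileged read: " + viaPrivileged);

        // Permissionless caller -> unguarded read: AccessControlException.
        try {
            AccessController.doPrivileged(
                    (PrivilegedAction<String>) PluginVersionRead::readDirect, untrusted);
            System.out.println("direct read: unexpectedly allowed");
        } catch (AccessControlException e) {
            System.out.println("direct read: " + e.getMessage());
        }
    }
}
```

The guarded read only succeeds because the class calling doPrivileged holds the permission itself; doPrivileged narrows the check to that class and grants nothing on its own.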

EVALUATION
After more investigation, I don't think this is our bug in the plugin.
The plugin already specifically grants read permission to the system property "javaplugin.version" via PluginClassLoader. A simple HelloWorld sandbox applet can read that property without problem.
In the JCK test, when it gets run, it replaces our own security manager and security policy with their specific manager, which does not have the permission to read javaplugin.version, and therefore the problem.
In the stack trace, you can see:
java.lang.ExceptionInInitializerError
    at com.sun.deploy.cache.Cache.getCacheEntry(Cache.java:1134)
    at com.sun.deploy.net.DownloadEngine.isUpdateAvailable(DownloadEngine.java:668)
    at com.sun.deploy.cache.DeployCacheHandler.get(DeployCacheHandler.java:126)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:685)
    at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:658)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
    at javasoft.sqe.tests.api.java.net.distributed.NetDistributedTests$1.run(NetDistributedTests.java:437)
    at javasoft.sqe.jck.lib.SecurityTestRunner.runTestWithTCKSM(SecurityTestRunner.java:278)
    at javasoft.sqe.jck.lib.SecurityTestRunner.runTestWithPermissions(SecurityTestRunner.java:235)
    at javasoft.sqe.jck.lib.SecurityTestRunner.runTestWithAllPermissions(SecurityTestRunner.java:157)
    at javasoft.sqe.jck.lib.AllPermissionSM.testRun(AllPermissionSM.java:86)
    at javasoft.sqe.tests.api.java.net.distributed.NetDistributedTests.distributed2001(NetDistributedTests.java:480)
The call to SecurityTestRunner.runTestWithTCKSM will actually replace the current plugin security manager and policy with the TCK-specific one. So when it calls into plugin code, it does not have the read permission for javaplugin.version anymore, and hence the security exception.